Sample ICT306 Advance Cybersecurity Report 2

ICT306 Advance Cybersecurity Report 2 Sample

Assignment Details

Case Study: Security Breach at TechCo Pty Ltd.

Background: TechCo Pty Ltd. is a multinational technology company that specializes in developingmcutting-edge software solutions for various industries. With a wide customer base and a strong reputation for innovation, TechCo Pty Ltd. has been at the forefront of the technology landscape for years. However, the company recently faced a major security breach that has had far-reaching consequences. The breach involved the compromise of sensitive customer data, including personally identifiable information (PII) and financial details. This incident has not only damaged the company’s reputation but has also raised serious concerns about the effectiveness of TechCo Pty Ltd cybersecurity measures.

Issue: During the investigation, it was discovered that the attackers utilized a combination of sophisticated techniques to gain unauthorized access to TechCo Pty Ltd’s systems. They began by conducting thorough footprinting, reconnaissance, and enumeration activities. Through publicly available information, online forums, and social media platforms, the attackers gained insights into TechCo Pty Ltd’s network infrastructure, identifying potential vulnerabilities and weaknesses. This detailed reconnaissance allowed them to map out the organization's systems and determine potential entry points for their attack.

Building upon their initial reconnaissance, the attackers proceeded to conduct scanning and sniffing activities. By using specialized tools and scanning techniques, they identified open ports, services, and protocols that were vulnerable to exploitation. Additionally, through network sniffing, the attackers were able to capture and analyze network traffic, seeking sensitive information such as usernames, passwords, and other credentials. This gave them a deeper understanding of TechCo Pty Ltd’s network architecture and allowed them to identify potential targets for their subsequent malicious activities.

Incident Details: In addition to technical methods, the attackers employed social engineering tactics to bypass TechCo Pty Ltd.'s security defences. They crafted sophisticated phishing emails that appeared to be legitimate and targeted specific employees within the organization. Through these deceptive emails, the attackers tricked employees into clicking on malicious links or opening infected attachments, thereby compromising their workstations and providing the attackers with unauthorized access. Furthermore, the attackers utilized phone calls posing as TechCo Pty Ltd. IT support personnel to manipulate unsuspecting employees into divulging sensitive information or unwittingly providing access credentials.

Once inside the network, the attackers launched a series of coordinated attacks, including denial of service (DoS) attacks, buffer overflow exploits, and system hacking/password cracking/privilege escalation techniques. These attacks disrupted TechCo Pty Ltds systems, causing significant
downtime and hampering the organization's ability to deliver products and services to its customers.

Result: The repercussions of this security breach have been extensive. In addition to financial losses and reputational damage, TechCo Pty Ltd. is now faced with the challenge of rebuilding customer trust and implementing robust security measures to prevent future incidents. The incident highlights the critical importance of comprehensive cybersecurity strategies that encompass not only technical safeguards but also employee education and awareness programs. Ethical issues and frameworks play a vital role in guiding organizations' cybersecurity practices, emphasizing the need for responsible and ethical handling of customer data.

Question 1

Describe the techniques used by the attackers for footprinting, reconnaissance, enumeration, scanning, and sniffing during the security breach. Discuss the implications of each technique on the organization’s security posture.

As part of executing penetration testing for the organization, include footprinting/reconnaissance (collect/gather information about the organization) using tools like Nmap or Zenmap.

Should scanning your selected organization prove unsuccessful, gather data on your virtual Windows 10 machine using tools like Nmap or Zenmap. This data should encompass the operating system, IP address, status of ports (whether they’re open, closed, or filtered), and the versions of those ports, among other details. Please make sure to include screenshots of your activities within the report. These will serve as proof of your experiment& execution.

Question 2

Explain the concept of social engineering and its relevance to the security breach. Identify and discuss at least three social engineering tactics that could have been employed by the attackers. Provide recommendations on how the organization can mitigate the risks associated with social engineering attacks.

You’ll be exploring the use of social engineering tools available in Kali Linux to understand how a User’s email address and password can be compromised. You will be tasked with setting up a simulated scenario using the Social-Engineer Toolkit (SET) to create a counterfeit Gmail login page. Demonstrate the process by which a user's email password might be captured when they unknowingly enter their details into the fraudulent website. Please make sure to include screenshots of your activities within the report. These will serve as proof of your experiment’s execution.

Question 3

Discuss the impact of the denial of service (DoS) attack on the organization’s systems and services. Identify the different types of DoS attacks that could have been used in this scenario and explain how they disrupt the availability of systems. Propose countermeasures to prevent or mitigate the impact of DoS attacks.
To demonstrating a denial of service (DoS) attack simulation, employ SYN Flooding with hping3 to launch a DoS attack against your virtual Windows 10 machine from your Kali Linux setup. During this experiment, utilize Wireshark to verify the effectiveness of the DoS attack on the Windows 10 machine. Ensure to capture and provide screenshots of the process. Please make sure to include screenshots of your activities within the report. These will serve as proof of your experiment’s execution.

Question 4

Explain the concept of buffer overflow and its potential exploitation by attackers. Discuss the consequences of a successful buffer overflow attack on the organization’s systems. Provide recommendations on how the organization can prevent buffer overflow vulnerabilities. Further, assess the organization's vulnerabilities using tools such as Nikto or OWASP ZAP. If evaluating your organization's vulnerabilities doesn’t pan out, shift your focus to analysing vulnerabilities on scanme.nmap.org using Nikto or OWASP ZAP. In both scenarios, it’s essential to document your process through screenshots. Please include snapshots of your efforts in footprinting both your organization and your Windows 10 machine, as well as in conducting a vulnerability assessment for both your organization and scanme.nmap.org.

Please make sure to include screenshots of your activities within the report. These will serve as proof of your experiment’s execution.

Question 5

Analyse the techniques used by the attackers to gain unauthorized access to the organization’s systems, including system hacking, password cracking, and privilege escalation. Discuss the potential risks associated with these attacks and propose effective countermeasures to enhance system security.
You’re tasked with setting up a new user on an FTP server running on your virtual Windows 10 machine.

Solution

Question 1:

 

The ipconfig command is used on the Windows 10 operating system, and the machine’s network configuration information is obtained. The output lists different types of addresses, including the so-called IPv4 address, with a value of 192. 168. 182. 116, which is the focus of the further network scan. Other network elements are also presented, such as a temporary IP address of 192. 168. 88. 220 and the link-local IPv6 address of FE80::5054: 64CF:F7CF: BA6. The temporary IPv6 address is 2001: 0: 5054: 64CF: F7CF: BA6: 2, and the default gateway address is 192. 168.1.0.

Figure 2: Result of “Nmap” scan of “192.168.182.116”

In Figure 2, the target machine IP address is 192. 168. 182. 116 is scanned using the Nmap tool in Kali Linux. The scan reveals that four ports are open such as Wbem, file and printer sharing services msrpc 135/TCP, NetBIOS 139/TCP, Microsoft 445/TCP, and wsdapi 5357/TCP. These ports relate to Microsoft services, which can probably be attacked if there are weaknesses or openings.

Figure 3: Port scanning of “192.168.182.116” IP address

Figure 3 shows a port scan (-p-) launched on the target IP (192. 168. 182. 116) through Nmap. This scan probes all 65,535 possible TCP ports and identifies six open ports. The other TCP numbers identified include 135, 139, 445, 5040, 5357, and 7680. There are supported several services msrpc and netbios-ssn, hence showing that several network services are running on the given machine. The extra open ports (5040 and 7680)contain an added chance to take benefit.

Figure 4: Aggressive scan of “192.168.182.116”

Figure 4 shows another scan done using the Nmap tool, a more aggressive scan marked by -A on the target IP 192. 168. 182. 116. Open ports and previously identified services are present in the scans, and it was discovered that the target machine is using either Windows 10 or Windows Server 2019. the assignment helpline It also indicates that the service running on port 5357 (http) gives the message of ‘service unavailable’.

Figure 5: Host-script result of aggressive scan

The host script that is obtained when attacking with an aggressive scan, probably with Nmap, offers plenty of information concerning the target system. It shows the NetBIOS name of the computer as DESKTOP-FWQ2QF1 and NetBIOS user. The smb2-time results suggest that message signing is on but not mandatory, which means a moderate level of security configuration, as displayed below. Also, the MAC address information ‘Oracle VirtualBox NIC’ points towards the fact that the system is in a virtual environment. From the traceroute details, one hop with the IP address of 192. 168. 182. 116, with a round trip time (RTT) of 2.05 ms.

Figure 6: Network packet capturing using “wireshark”

The figure below shows an example of a network packet capture with Wireshark, an application used to capture and analyze network traffic. The capture most probably targets the host and network service interaction. Wireshark depicts features including the source (Src) and destination (Dst) IP address, protocols (TCP, UDP), packet size and other features related to the transmission.

Figure 7: Another details of a network packet

This figure presents further particularities of a single network packet captured with the Wireshark tool. It demonstrates that specific protocols such as SSOP (Secure Socket Offloading Protocol) probably indicate secure traffic, providing metadata on different carrying information including TTL(times to live), packet size, and source and destination port numbers.

Figure 8: Information gathering using “dig” tool

This figure illustrates the result of using the dig tool, which is a powerful tool of Kali Linux for performing DNS querying and gathering information on a given domain. The command queries amazon. query com for any DNS records. This output shows different types of records being looked for, which include A (IPv4), AAAA (IPv6), and NS (Name servers), giving a view of the underlying Amazon infrastructure.

Question 2:

 

This figure illustrates the starting point of an actual social engineering attack using the widely known tool known as the Social-Engineer Toolkit (SET). The user gets a list of options, which are available to attack like Social-Engineering Attacks, Penetration Testing, Update SET configuration etc.

Figure 10: Selecting “Website attack vectors” option

In the SET, the user chooses the Website Attack Vectors from the list of options available on the terminal. This option allows the attacker to establish bogus Web sites aimed at ‘tricking’ users with the intention of capturing their username and password or by delivering malware through web-borne attacks like phishing and drive-by exploitation.

Figure 11: Choosing “Credential harvester attack method”

the user picks the Credential Harvester Attack Method from the Website Attack Vectors. This method mimics other genuine websites and logs into the usernames and passwords entered by unsuspecting users. Another thing that is targeted in phishing attacks is the theft of usernames, passwords or any other information.

Figure 12: Choosing “Web templates” option

The Web Templates is chosen by the user to launch a fake website with the help of several types of templates. This makes it easier for a hacker to set up the cloned website for capturing people’s log-in credentials. These templates are copies of real websites and thus they seem as real as possible, which in turn increases the probabilities of deceiving users.

Figure 13: Providing the target IP address

The last step is adding the target IP address for the operation, which is the credential harvester attack. The destination IP address is where the harvested credentials is delivered. In this case, the IP address 192. 168. 182. 209 is given here, which depicts the attacker’s system, which collect the credentials if the victim engages in the clone site.

Figure 14: Choosing the fake website template

This figure depicts the selection of a dummy website template in the Social-Engineer Toolkit, commonly referred to as the SET in Kali Linux. This tool assists its users in copying legitimate websites to make fake phishing pages. In this case, the user chooses template ‘2’, which is likely to be Google, Twitter, or another popular site that helps the attacker harvest the user credentials.

Figure 15: “Social engineering” attack is started

This figure shows how a valid website is copied to launch a social engineering attack. This is courtesy of the HTTP GET requests as the tool replicates the selected website. The cloned sitetrick the target into submission and supply sensitive data, such as login information, through what looks like a trusted interface.

Figure 16: Find the fake website in the target system “Windows 10”

This figure shows the fake phishing website launched on the target system having Windows 10. The actual page cloned from the Google sign-in page is also visible, where users are asked to put their log in details. After the victim has entered details, they are recorded by the attacker, thus making phishing attacks effective in social engineering.

Question 3:

 

This figure demonstrates the use of the hping3 tool in Kali Linux to perform a Distributed Denial of Service (DDoS) attack. The command hping3 -S—-flood -V 192. 168. 182. 116 initiates a flow of TCP SYN packets to the target IP address and thus contributes to high network loads. It is run in flood mode, and none of the packet replies are displayed.

Figure 18: High CPU usage of target system due to “DDoS” attack

This figure depicts the effect of the DDoS attack in resource utilization of the target system. The task manager shows that the CPU usage is at 97% and memory usage at 95% to show that the attack is overwhelming the system’s processing capability andslow it down.

Figure 19: Capturing the network packets after doing “DDoS” attack

This figure shows the use of a network monitoring tool such as Wireshark in capturing packets produced during the DDoS attack. The tool scans the excessive flow of SYN packets aimed at the target system, in order to analyze the characteristics of the traffic and check the efficiency of an attack.

Figure 20: Providing the information about a specific network packet

This figure provides information about a network packet captured during the performance of DDoS, which is given by this figure. Using the data presented in the picture, it is possible to identify the source and destination addresses of Ethernet, probably protocol (TCP), and the packet size. It emphasises the packet sequence numbers in an attempt to show the progress of the attack in addition to assisting in analysing the network traffic in the event of an attack.

Question 4:

In this figure, the user is browsing a sample vulnerability site to test the site for security. The IMAGE depicts the links to vulnerabilities, AJAX sampling, and areas of an insecure site without security headers. The content explains possible vulnerabilities that an intruder can take advantage of; it presents safety challenges in a web platform.

Figure 22: Find the details about the vulnerable website using “nikto” tool

The figure illustrates Nikto, a web server vulnerability scanner used to find problems on a target site. The tool highlights some of the HTTP security headers missing in web applications, including “X-Frame-Options” and “Content-Type-Options,” which help counter threats such as clickjacking and content spoofing, respectively. The output provides and exposes some of the defects in web security.

Question 5:

It captures the user in a Kali Linux terminal, where the user navigates the terminal and changes the working directory to /home/kali/Desktop. There are files of the directory listed to include ‘abcd. zip,’ ‘ddos. pcapng,’ and ‘password. txt.’ This command relieves a user's current location in the filesystem to show the existence of files frequently used by the cyber-security officer in activities like password cracking and a DoS analysis.

Figure 24: Performing password attack using “hydra” tool

This figure displays how a password attack is launched using the ‘Hydra’ tool, a network logon cracker. The command starts with 12 actions per server, all designed to perform login password cracking. The process involves the use of one password per task or in other words, the trial of one password.

Figure 25: The result of password attack

The figure shows a successful password attack on the target machine, which is 192. 168. 143. 116. The “Hydra” tool identifies the valid login credentials such as username as “admin” and password as “123. “ This shows that the system's security has been left vulnerable due to poor credentials, an aspect that attackers can use.

Bibliography